RE: MS Audit logs



For gathering the logs I always recommend Snare. The client installs and
if you choose so it sets up to capture just about all possible events.
You then choose a location for it to save. This way you can save logs
until you run out of space and decide to delete or back them up. I
believe the Snare server even has some alerting function when it comes
to suspicious log entries based on the event ID.
Here we use Snare clients with a Kiwi server, the Snare server did not
perform very well with higher amount of traffic.

Hope it helps.
Nick

-----Original Message-----
From: Davie Elliott - Eluse [mailto:delliott@xxxxxxxxxxx]
Sent: Sunday, May 21, 2006 8:27 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: MS Audit logs

Hi everyone,

I'm a bit of a newbie administrator, and I have a quick question about
Microsoft windows audit logs.

Right now I have ticked every audit option in the main GPO, so I get
tons of
audit objects to trawl through every week.
I was reading somewhere that MS Audit logs cycle or something so after
24
hours I have lost some audit objects.
Also, I don't really know what I'm looking for in the audits logs
anyway...
except for maybe checking if some users accounts have been used when
they
shouldn't have.

Anyways, I was wondering what software would be good for managing the
audit
logs?... I think I read a blog from an MS employee saying someone should
use
3rd party software for managing the audit logs instead of the built-in
windows thing.

Thanks for your help,

Davie.



Relevant Pages

  • RE: MS Audit logs
    ... Microsoft windows audit logs. ... can set up the log to overwrite the oldest entries as needed (sounds ... 3131 South Las Vegas Blvd, Las Vegas, NV 89109 ...
    (Security-Basics)
  • Re: Dealing with BSM Audit Logs
    ... I am in search of tools to deal with audit logs. ... example, I suspect that this noise is from ufsdump/restore, ...
    (Focus-SUN)
  • Re: SQL 2000 Lockout?
    ... Yes we do have audit logs and monitor the Failed Attempts but just was ... With SQL Server 2000, there is nothing native to do this. ... If you server is set to Audit Failed Logins, ...
    (microsoft.public.sqlserver.security)
  • Re: Audit Logs
    ... >>I enabled the audit logs for object access on the ... The local computer Event Viewer is ... >> could check on these logs. ...
    (microsoft.public.win2000.group_policy)
  • Re: Audit Logs
    ... >I enabled the audit logs for object access on the default ... > domain policy. ... The local computer Event Viewer is showing ... > could check on these logs. ...
    (microsoft.public.win2000.group_policy)